Valimail blog

The FBI makes DMARC enforcement part of law enforcement

Author: Valimail
[Top photo: FBI tank]

The U.S. Federal Bureau of Investigation has something to be proud of: As of last month, it’s no longer possible for hackers to impersonate the agency with emails that appear to come from the FBI.

That’s a change from January, when we noted that FBI.gov — like most of the government domains we checked — was not protected by the gold standard in email authentication, DMARC enforcement. In fact, of the 10 .gov domains we analyzed, only one, SSA.gov, had a DMARC record that was configured correctly and set to enforcement (a policy of quarantine or reject).

Our January finding parallels the Online Trust Association’s 2017 Online Trust Audit, which assesses the security protections of a wide range of organizations. This year the OTA’s audit included email authentication as one of its criteria. The audit found that federal government sites are lagging behind business sites in DMARC implementation and enforcement rates.

[Figure: OTA 2017 Online Trust Audit chart of DMARC adoption rates by category]

The OTA’s chart shows DMARC adoption rates across various categories. The “FED” category refers to the top 100 U.S. Federal domains.

With a correctly configured DMARC record set to enforcement, a domain is fully protected from email impersonators. That’s because any mailbox that checks the DMARC status of inbound messages — including every major email provider, such as Google, AOL, Microsoft, and more, comprising 2.7 billion mailboxes in all — will reject messages that appear to come from the protected domain but haven’t actually been authorized by that domain.

Critically, DMARC requires that the From field in a message use the same domain that is being authenticated. With SPF or DKIM alone, you don’t have that guarantee, which leaves the door open for phishers to create messages that pass SPF or DKIM using a domain they control, while putting an unrelated, faked domain in the From field. DMARC shuts that door.
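The two points above (a record is only "at enforcement" when its policy is quarantine or reject, and DMARC requires the From domain to align with the SPF- or DKIM-authenticated domain) can be made concrete in code. The following is an added example, not Valimail's code or an official DMARC implementation: it parses a DMARC TXT record, decides whether it is enforcing, and evaluates a message's authentication results the way a receiving mailbox would under RFC 7489's alignment rules. All domains, records and message results are constructed for illustration; the organizational-domain helper is a deliberate simplification (real receivers use the Public Suffix List), and the `pct` tag is ignored.

```python
"""Simplified DMARC record parsing and alignment evaluation (RFC 7489 logic).

Added example, not Valimail's code. Every domain, record and authentication
result in this file is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict.

    Returns {} when the record is not usable: v=DMARC1 must come first,
    p= is required, and p must be none/quarantine/reject. This is the
    "configured correctly" check the article refers to.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return {}  # malformed tag, e.g. 'p reject'
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not txt.strip().lower().startswith("v=dmarc1"):
        return {}
    if tags.get("p", "").lower() not in VALID_POLICIES:
        return {}
    return tags


def is_enforcing(tags: dict) -> bool:
    """A domain is at enforcement only when p is quarantine or reject."""
    return bool(tags) and tags["p"].lower() in ("quarantine", "reject")


def organizational_domain(domain: str) -> str:
    """Toy organizational domain: the last two labels. Real implementations
    consult the Public Suffix List (e.g. for 'co.uk')."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    needs the same organizational domain."""
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResult:
    """What a receiver knows after SPF and DKIM checks, before DMARC."""
    from_domain: str            # domain in the RFC5322.From header (what the user sees)
    spf_pass: bool
    spf_domain: Optional[str]   # RFC5321.MailFrom domain SPF was evaluated against
    dkim_pass: bool
    dkim_domain: Optional[str]  # d= tag of the verified DKIM signature


def spf_only_verdict(msg: AuthResult) -> str:
    """Without DMARC, a receiver relying on SPF alone sees only SPF's own result,
    which says nothing about the From header domain."""
    return "pass" if msg.spf_pass else "fail"


def dmarc_evaluate(record: str, msg: AuthResult) -> str:
    """Return the DMARC disposition for a message: 'no-policy' when the record
    is absent or malformed, 'pass' when an aligned SPF or DKIM result exists,
    otherwise the published policy ('none', 'quarantine' or 'reject')."""
    tags = parse_dmarc_record(record)
    if not tags:
        return "no-policy"
    spf_ok = (msg.spf_pass and msg.spf_domain is not None
              and aligned(msg.from_domain, msg.spf_domain, tags.get("aspf", "r")))
    dkim_ok = (msg.dkim_pass and msg.dkim_domain is not None
               and aligned(msg.from_domain, msg.dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"].lower()


if __name__ == "__main__":
    # Constructed record for a fictional agency domain at enforcement.
    record = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.gov"
    # Constructed spoof: SPF passes for a domain the sender controls, but the
    # From header claims example.gov. SPF alone is happy; DMARC is not.
    spoof = AuthResult("example.gov", True, "sender-controlled.example", False, None)
    print("SPF-only verdict:", spf_only_verdict(spoof))    # pass
    print("DMARC disposition:", dmarc_evaluate(record, spoof))  # reject
```

The `spoof` case is the gap the paragraph describes: SPF is evaluated against the envelope sender, so it passes for a domain the sender controls, while DMARC compares the authenticated domain with the From header and applies the domain owner's `p=` policy when nothing aligns. Changing the record to `p=none` yields the disposition `none`, which is why monitoring-only records leave the domain unprotected.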

SSA.gov remains fully protected, and FBI.gov now joins the ranks of authenticated .gov domains.

The other eight, however, still lack DMARC records or else have records that have errors or lack an enforcement directive. That includes domains for the IRS (a frequent subject of impersonation attacks), the NSA, the CIA, and even the White House.

The White House, of course, was the target of its own impersonation attack recently. In that case the attacker, calling himself “Email Prankster” and publicizing his exploits on Twitter, was not making any attempt to spoof the From address in his emails, so DMARC would not have made any immediate difference. But if Whitehouse.gov did have email authentication enabled, it might have been easier to flag non-White House email addresses like those used by the prankster.

It’s clear the federal government still has a long way to go to protect its domains. That’s why we agree with Senator Ron Wyden that federal agencies should be required to implement DMARC with a policy of reject or quarantine.

Top photo: Not the FBI’s DMARC enforcement truck. Photo credit: James Duff/Flickr

Published August 17, 2017
  • Authentication
Author: Valimail
Valimail is the global leader in zero-trust email security. The company’s full line of cloud-native solutions authenticate sender identity to stop phishing, protect brands, and ensure compliance; they are used by organizations ranging from neighborhood shops to some of the world's largest organizations, including Uber, Splunk, Yelp, Fannie Mae, Mercedes Benz USA, and the U.S. Federal Aviation Administration. Valimail is the fastest growing DMARC solution, with the most domains at DMARC enforcement, and is the premier DMARC partner for Microsoft 365 environments. For more information visit www.valimail.com.